Archive | 2010

IOCTL Fuzzer is a tool designed to automate the task of searching vulnerabilities in Windows kernel drivers by performing fuzz tests on them.

The fuzzer’s own driver hooks NtDeviceIoControlFile in order to take control of all IOCTL requests throughout the system.

While processing IOCTLs, the fuzzer will spoof those IOCTLs conforming to conditions specified in the configuration file. A spoofed IOCTL is identical to the original in all respects except the input data, which is changed to randomly generated fuzz.

January 20, 2019 - 235 Shares

Another case of a certain industry lagging behind, I mean come-on – who seriously still using proprietary cryptography algorithms in 2010? Especially only 40 or 48-bit protocols, with the processing power available on hand now and new techniques like GPU based cracking – that just doesn’t cut it.

The latest discovery of such implementations was in the immobiliser technology used by car companies to secure their expensive vehicles. A researcher Karsten Nohl has exposed these weaknesses at the recent Embedded Security in Cars conference in Germany.

Weak cryptography means that car engine immobiliser technology has become easy for crooks to circumvent.

Nothing weaker than 128-bit AES is considered sufficient protection for e-commerce transactions, but car manufacturers are still using proprietary 40-bit and 48-bit encryptions protocols that are vulnerable to brute force attacks. Worse still, one unnamed manufacturer used the Vehicle Identification Number (VIN) as the “secret” key for the immobiliser.

The weakness of the technology was exposed in security research by ethical hacker Karsten Nohl of Security Research Labs, who links the weakness of the technology with a growth in car thefts in Germany last year, following years in decline.

Nohl outlined preliminary findings from his research at the recent Embedded Security in Cars conference, in Bremen, Germany. His research covers the communications between card immobilisers and engine electronic systems in dozens of cars. For example, Nohl was able to crack the Hitag 2 car immobiliser algorithm used by Dutch firm NXP Semiconductors in around six hours.

And using the VIN number as the secret key? Well, that’s not very secret is it? It’s akin to using the MAC address of a computer as the SSH secret key, no one in their right mind would do that. I guess that’s what happens when you leave the engineers to implement cryptography schemes without having anyone around handy with the cluestick.

I’d imagine some of these systems are protecting extremely expensive cars, so some basic equipment, some strong crypto knowledge and 6 hours and you can land yourself a $100,000 car. Not bad for a days work.

The research builds on work by other computer scientists and encryption experts dating back at least five years. In 2005 Ari Juels of RSA Labs and researchers at Johns Hopkins University in Baltimore, Maryland, circumvented the encryption system used by Texas Instruments.

Manufacturers of car immobiliser technology have defended the robustness of their technologies.

“To our knowledge the direct causal link between the failure to adopt AES systems and the rise in car theft cannot be drawn,” Thomas Rudolph of NXP told New Scientist.

Texas Instruments claimed its proprietary cryptographic systems might be stronger than AES. Nonetheless both firms are in the process of phasing out their home-cooked crypto tech in favour of industry standard encryption systems based on 128-bit AES.

And what it is with TI claiming their system MIGHT be stronger than AES? When did ‘might‘ ever give anyone confidence? In all honesty, there is no reason at all for using proprietary algorithms or implementations. Those out in public like AES have been tried, tested and approved by the greatest crypto minds in the World, I don’t care how smart you think your employees are – but trust me they aren’t as smart as the people scrutinising AES.

I hope to see all companies using weak proprietary protocols in any industry phase them out and switch to tried and tested industry algorithms.

Download the source package as below, then import the WackoPicko database into MySQL using a command like the following:

1

mysql-u-p<current.sql

This will create the MySQL user WackoPicko with the password webvuln!@# as well as create the WackoPicko table. The final step is to enable read/write access to the upload directory of WackoPicko for the webserver user. An easy way to do this is:

1

chmod777-Rupload

Known Issues

The search bar doesn’t appear in Internet Explorer.

There are some onions hanging around (particularly in the upload folder) but I kept them there to preserve parity with the version used during the tests.

WackoPicko was developed with the assumption that is was running as the root application as the URL and won’t work running as a directory.

January 20, 2019 - 235 Shares

An e-mail from the Gawker CTO (Tom Plunkett) has been posted online and it outlines the security improvements that Gawker are planning to implement after the recent massive breach of user passwords from their database.

The improvements are pretty standard security practice, but it just shows in these days of rapid development and the focus being on features rather than security – bad things can happen.

Gawker Media’s CTO has outlined a series of security changes designed to shore up the company’s IT operations following an attack last week that compromised up to 1.4 million accounts.

The company was unprepared to respond to an attack in which user data and passwords were posted to peer-to-peer file-sharing networks, wrote Tom Plunkett in an e-mail memo to Gawker staff on Friday. The e-mail was reposted on Jim Romenesko’s blog on the Poynter journalism site. A group called Gnosis claimed responsibility for the hack, which exploited a flaw in the source code of Gawker’s Web servers.

“Our development efforts have been focused on new product while committing relatively little time to reviewing past work,” Plunkett wrote. “This is often a fatal mistake in software development and was central to this vulnerability.”

As a result, Gawker has done a security audit of the sites affected, which include Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin and Fleshbot.

Gawker is now mandating the use of SSL (Secure Sockets Layer) encryption for employees with company accounts using Google Apps. Also, if those employees have access to sensitive legal, financial or account data, two-factor authentication must be used, Plunkett wrote.

Most of the things would have been picked up if they had ever done any kind of internal ISMS audit (based perhaps on something like ISO27001) – which bans all chat applications except for Skype as that encrypts the chats.

Using things like SSL are pretty obvious and should be forced on all login pages on all web applications – with FireSheep bring that issues to the forefront recently.

I’d say the most sensible move would be considering moving away from the local database model and using something like OAuth – that would make sense.

Gawker also will not allow employees to discuss sensitive information on chat applications, including AOL’s Instant Messenger and Campfire.

For users of its websites, Plunkett wrote that Gawker wants to move away from storing information such as e-mail and passwords and use systems such as OAuth.

OAuth is an authentication protocol that allows people to use the same login information for multiple services and share data through an API (application programming interfaces). OAuth provides a token that grants access to different applications, which do not see users’ original login credentials. It is being used now by Google, Twitter and Facebook, among other services.

Gawker will also allow people to create a “disposable” account with its sites in order to leave comments. Gawker will not store e-mail addresses or passwords for those accounts. The accounts can be used as long as the person remembers a key code, Plunkett wrote.

Since the breach, Gawker has been in the process of notifying those who are affected and reminding them to change their passwords, especially if they used the same password for other Web services. Twitter saw a raft of spam soon after the Gawker breach, which illustrated that some people used the same password on both services.

It’s good to see Gawker taking some pro-active measures rather than the normal arrogance we are used to. I think the disposable token based account is a good idea too as often I want to leave a comment on some site or another but the sign-up process, e-mail validation and so on puts me off.

I hope Gawker has gotten around to notifying everyone who had an account that was compromised as sadly many people use the same password and username/e-mail combo for all their online site accounts.

January 20, 2019 - 235 Shares

Honggfuzz is a general-purpose fuzzing tool. Given a starting corpus of test files, Hongfuzz supplies and modifies input to a test program and utilize the ptrace() API/POSIX signal interface to detect and log crashes.

Basically it’s a simple, easy to use via command-line interface, providing nice analysis of software crashes in a simple form of file names.

It has been used to find a few (possibly exploitable) bugs in some major software packages including freetype2, librsvg and libtiff.

Features

Easy setup: No complicated configuration files or setup necessary — Hongfuzz can be run directly from the command line.

Fast: Multiple Hongfuzz instances can be run simultaneously for more efficient fuzzing.

Powerful analysis capabilities: Hongfuzz will use the most powerful process state analysis (e.g. ptrace) interface under a given OS.